I have often been asked "What would a hacker want with my network?". Most people don't see the value of a hacked network because they envision hackers as targeting an individual to exploit them personally. While this notion of personally targeted hacking can occasionally happen in the case of high profile targets, it is the exception to modern day hacking, not the rule.

Today's hackers typically use automated scripts, targeting all networks globally with email blasts in an attack commonly known as phishing. The goal of phishing is to send a convincing email to trick the end user to either visit a compromised website or execute some hidden code embedded in a document such as an Excel spreadsheet, Word document, image, or pdf.

But once you are "hacked" what would the hacker do with your network? There are many answers to this. It all depends on the motives of the hacker. They could set up a listening post on your network in a printer to watch everything you do and report back daily to further exploit you personally, they could enslave your IoT devices to be used in a denial of service attack, or they could use the slave army of your computers and IoT devices to mine cryptocurrency for them!

Yes... Mirai, The Infamous Internet of Things Army, Can Now Mine Bitcoin! You all remember that Internet of Things botnet? The one known for temporarily shutting down a number of the world's largest websites last autumn?

Well, a newer version has been detected, but as well as being able to issue DDoS attacks and the like, it's equipped to mine bitcoin.

In the digital age, it's possible for hackers to infect and take control of insecure Internet of Things (IoT) devices, say, toasters, cameras or other web-connected devices. They can then bundle them together into a botnet, using their combined capacity to shoot spam at websites or internet structures, slowing them down or sending them offline.

That's what happened in a series of attacks in the fall, using the malware dubbed Mirai.

The software was open-sourced soon after - much to the dismay of security engineers - and, since then, different strains iterating on the first version of the botnet have cropped up with added abilities.

One strain, known as ELF Linux/Mirai, has now been detected mining bitcoin for a few days, according to research from IBM X-Force, the Big Blue's cybersecurity research wing. It seems some unknown hacker (or hackers) is experimenting with using the power accumulated from IoT devices to mine the digital currency and possibly make some cash.

This could be an omen for future IoT botnet use cases, argued Dave McMillen, IBM Managed Security Services senior threat researcher and author of the report.

The team "dissected" the binary to discover that the Linux version of the malware is similar to the more typical Windows version.

"It was detected as a slave miner by multiple tools, however we are still investigating other properties of the variant," McMillen added.

While there are now many variants of the botnet, ELF Linux/Mirai has extra abilities in that it can execute 'SQL injection' (a notorious way to take control of databases) and execute so called 'brute force' attacks.

But, the Linux version has an extra add-on - the bitcoin miner component.

FUTURE THREAT?

IBM speculates in the report that the botnet creators may be looking for a way to make bitcoin mining with compromised IoT devices a lucrative venture.

"Realizing the power of Mirai to infect thousands of machines at a time, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven't yet determined that capability, but found it to be an interesting yet concerning possibility."

So what would the impact be to a smart-home or business automation network? Bitcoin mining is extremely CPU intensive. A network infected with Bitcoin miner malware would experience sluggish performance across all infected devices, increased heat load and a dramatic and ongoing spike in electricity consumption.

As more devices and appliances with Internet capabilities enter the market, protecting those devices from hackers becomes critical. Unfortunately, many of these non-computer, non-smartphone devices — from toilets to refrigerators to alarm systems — weren't built with security in mind.

So what can a system integrator deploying these devices do? When it comes to the so-called Internet of Things and the connected home, it's best to proactively secure the home network. There is no antivirus software for a smart TV, but you can protect your network so hacking the TV doesn't become a backdoor into your home.

THE RISK OF THE INTERNET OF THINGS

The Internet of Things is a catchphrase referring to commonplace devices and appliances — such as thermostats, automobiles and refrigerators — that are connected to the Internet. It also includes Internet-connected "wearable" devices, such as fitness bands or Google Glass. The market for Internet of Things devices will hit $7.1 trillion by 2020, according to estimates from analysis firm International Data Corp.

Connecting everyday devices to the Internet seems like a great idea, but system integrators and users need to be mindful of the risks, warned JD Sherry, vice president of technology and solutions at Tokyo-based antivirus-software maker Trend Micro.

"No one is going to keep the door to their house unlocked," Sherry said. "You need to think [the same way] about the appliances on your network."

For example, fitness bands that monitor the wearer's location could give hackers details about daily routines and patterns as they have recently on military outposts. So could alarm systems that can be remotely accessed via smartphone apps. Burglars could use data stolen from either type of device to know when to break into homes while residents are away.

The good news is that many people already think about protecting their data, according to a survey of 1,801 tech-savvy homeowners in 11 countries conducted for network-security provider Fortinet.

In the "Internet of Things: Connected Home" survey, the results of which were released in June, 70 percent of respondents said they were somewhat or extremely concerned about the prospect of a data breach as a result of connected appliances.

HOW TO MAKE CONNECTED HOMES MORE SECURE

Here are some steps to protect your home network and the gadgets connected to it.

Secure the wireless network. The old Wired Equivalent Privacy (WEP) protocol is still widely used, but it is weak and easily compromised. Make sure the home wireless network is instead protected by the Wi-Fi Protected Access II (WPA2) protocol, with only KRACK-patched devices and a strong, complex password.

Give your Wi-Fi network an obscure name, or SSID, that doesn't give attackers personal information they can use in social-engineering attempts. For instance, don't call it "[Your Name] House." Instead, call it something random, such as "NSA Surveillance Van."

Disable guest network access entirely, and be strict about who — or what — can get on the network.

Create at least two different Wi-Fi networks with separate VLANs for the multiple SSIDs. Trey Ford, global security strategist at security company Rapid7, suggests one network for computers, tablets and smartphones used for online banking, shopping and general Web activity; another network can be for smart devices.

Good password management is essential. Neither network equipment (such as routers and switches) nor newfangled gadgets (such as smart TVs) should use default factory-set administrator passwords. Change each admin password to something suitably strong and complex, and regularly change them going forward. When possible, usernames should be also changed to make it even harder for attackers to brute-force their way in.

IS A FIREWALL ENOUGH?

No, a stand-alone filtering firewall is not enough in the modern smart home. You still need a firewall, but it needs to have more enhanced security features. Firewall the network with a high-quality, high-performance, Next-Generation Firewall appliance. When considering cost, think of the value of all the assets you are protecting along with your time and reputation at stake.

"Every home with an Internet connection should have [a professional grade firewall],"

Most networked IoT devices include information about the ports, network protocols and IP addresses used in the owner's guide or on the support website. But rather than setting the firewall to allow traffic on those specific ports with port restrictions and port forwarding, use a VPN server and client to allow secure remote access to the network for both technicians and end users. This will drastically cut down on opportunistic network-probing attempts.

Install a Next-Generation Firewall with an integrated unified threat management appliance (UTM) if you have a highly-connected home. It will handle intrusion detection and prevention, manage the Internet gateway and provide your network secure DNS protection.

A good Next-Generation Firewall UTM will have signatures and countermeasures to detect and stop the more common and even uncommon network entry points that attackers will use.

Utilize an effective GeoBlocking scheme with your Next-Generation Firewall. GeoBlocking automatically disallows remote connectivity attempts from designated countries or regions that have no business initiating contact with your smart home. This greatly reduces exposure to automated network probing attacks from major threat countries.

SECURITY TIPS BEYOND THE NETWORK

Once the network is secure, examine each IoT device you own — and what it is doing. Disable remote-management access and other powerful network tools if they won't be used.

Perhaps your car lets you connect to Facebook. If you don’t plan to check your Facebook page while driving, don't hand over your credentials to set up the connection. Use your phone instead — it's safer.

Install security software wherever possible, such as on mobile devices used to control IoT devices. If attackers can access a smart garage-door opener or a smart thermostat via a malicious Android app instead of by hacking the device directly, they will go with the easier option.

Many months ago (January 2017), I wrote a blog entry called "You May Be Held Liable For The Breach Of A Network Or Network Device You Recommend Or Deploy...", outlining how dealers may be held responsible in the future for the insecure networks they deploy today. The reactions were mixed, some scoffed, calling it scare tactics, but the great majority took heed, rethinking their network security standards. I think if you were to take all of the ransomware and data breach headlines written in the news between that article and this one into consideration, you would have to say that reconsidering your network security standards was the prudent thing to do.

Today, CEPro released a great article called "Cybersecurity Liability: Who's to blame if one bad IoT device Topples the Whole Network?" In their article, they bring up many of the same things I discussed back in January. The bottom line in the article is that, like cybersecurity, liability is a continuum. Who is deemed negligent will change and will most certainly range from the manufacturer all the way to the integrator and down to the end user. It is a shared responsibility, but as the subject matter expert tasked with designing and securing the network, the lion's share will undoubtedly fall at the integrator's feet unless the integrator can demonstrate otherwise.

Once the integrator has documented that all T's were crossed and all I's were dotted, following and even surpassing what is considered industry standard cybersecurity measures, then they can feel confident that the end user and manufacturer will shoulder the majority of the liability.

But how can the integrator do this in the ever-changing environment of the Internet and cyber-threats? There is simply no way to tell what the next big IoT device will be or what security flaws it will have. The only way to do this is to provide a secure environment on which to add these devices. By securing the network properly, we can dedicate segments of WiFi and network space for IoT devices of present and future while protecting the security and reliability of the heart of our network.

This is where the Network Guardian comes into play, locking down your network security with proven Geoblocking technology preventing unwanted foreign interlopers, Intrusion Detection & Prevention Systems (IDPS) that updates twice daily and secure Domain Name Services (DNS) that updates in real time to protect your network today and in the future.

The Halloware ransomware is a new malware offered for sale in the dark web, the author that goes online with the moniker Luc1F3R is selling it for just $40.

THE DARK WEB

Many of you have heard the CEDIA Tech Council Cybersecurity Podcast where I referred to and briefly discussed the Dark Web. For those of you who have not, you can catch it here.

The “dark web” is a part of the world wide web that requires special software to access. Once inside, websites and other services can be accessed through a browser in much the same way as the normal web.

However, some sites are effectively “hidden”, in that they have not been indexed by a search engine and can only be accessed if you know the address of the site. Special markets also operate within the dark web called, “darknet markets”, which mainly sell illegal products like drugs and firearms, paid for in the cryptocurrency Bitcoin.

The Dark Web is a subset of the Deep Web with the difference being the Deep Web is anything on the Internet not found in search browsers while the Dark Web then is classified as a small portion of the Deep Web that has been intentionally hidden and is inaccessible through standard web browsers.

It is effectively impossible to measure, and difficult even to estimate, the size of the deep web, because the majority of the information is hidden or locked inside databases. Early estimates suggested that the deep web is 400 to 550 times larger than the world wide web we experience as the Internet. So we truly only see the tip of the iceberg.

HALLOWARE - WHAT IS IT

According to the experts at Bleeping Computer, Luc1F3R started selling the Halloware this week through a dedicated portal on the Dark Web. Luc1F3R claims to be a 17-year-old college student from Northeast India. Whatever happened to selling plasma or collecting aluminum cans for beer money?

“Currently, the malware dev is selling and/or advertising his ransomware on a dedicated Dark Web portal, on Dark Web forums, two sites hosted on the public Internet, and via videos hosted on YouTube,” reported Bleeping Computer.

“The sites are offering a lifetime license for the Halloware ransomware for only $40.”

The low price has made the researchers suspicious, so they decided to investigate the case suspecting a scam.

Operational mistakes in the websites used by Luc1F3R to sell the ransomware allowed the experts from Bleeping Computer to track down a web page where Luc1F3R was hosting the index of Halloware files. The page included weaponized documents used to deliver the malware.

One of the files in the list, hmavpncreck.exe, had the same SHA256 hash for which Luc1F3R included NoDistribute scan results in Halloware’s ad, confirming that it was the malware binary the experts were looking for.

Another file named ran.py seems to be Halloware’s source code.

“While the file was protected, Bleeping Computer managed to extract its source code, which will end up in the hands of other security researchers to create decrypters, in case someone buys this ransomware and uses it to infect real users.” continues the analysis from Bleeping Computer.

HOW IT WORKS

The researchers highlighted that Halloware is a working ransomware: it encrypts files using a hardcoded AES-256 key and prepends the "(Lucifer)" string to encrypted file names. For example, once encrypted, a file named image.png will appear as (Lucifer)image.png.

Once the Halloware ransomware has completed the encryption process it pops up a window showing a creepy clown with a ransom message containing the instruction to pay the ransom and decrypt the data. The victim’s desktop wallpaper, also displays a similar message, but experts noticed that Halloware ransomware does not drop text files with ransom notes on the infected PCs.

Wannabe criminals that buy the ransomware can generate their own install by changing two images and adding their customized payment site URL.

The experts also noted that the ransomware uses a hardcoded AES key and does not save any information to a remote server; this characteristic makes the malware of little use to the criminal underground.
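Because Halloware drops no ransom-note text files, the renamed files themselves are the most visible host indicator. The following is an added detection example (not code from Bleeping Computer or this post) that relies only on the naming behaviour described above: the literal "(Lucifer)" prefix on otherwise unchanged file names. The sample directory tree and the per-directory threshold are constructed assumptions for the demonstration.

```python
"""Detection helper for the Halloware file-renaming pattern.

Added example, not the researchers' or the malware author's code. It uses only
the naming behaviour stated in the write-up: encrypted files keep their original
name with "(Lucifer)" prepended. The directory layout and the threshold below
are constructed for this demonstration.
"""
import os
import tempfile
from collections import defaultdict

PREFIX = "(Lucifer)"      # marker Halloware prepends to encrypted file names
DEFAULT_THRESHOLD = 3     # assumed: flag a directory once this many files carry the marker


def original_name(name: str):
    """Return the pre-encryption file name, or None if the name carries no marker."""
    if name.startswith(PREFIX) and len(name) > len(PREFIX):
        return name[len(PREFIX):]
    return None


def scan_tree(root: str):
    """Walk root and map each directory (relative to root) to the original
    names of the marked files found in it."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            orig = original_name(fname)
            if orig is not None:
                hits[os.path.relpath(dirpath, root)].append(orig)
    return dict(hits)


def flag_directories(hits, threshold=DEFAULT_THRESHOLD):
    """Directories whose marked-file count meets the threshold, most affected first.

    A single renamed file can be a false positive; a cluster of them in one
    directory is the mass-renaming signature of the encryption pass."""
    flagged = [(d, len(names)) for d, names in hits.items() if len(names) >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def build_sample_tree(root: str):
    """Constructed sample: one folder hit by the renaming, one with a single hit,
    one untouched. File contents are placeholders, not real ciphertext."""
    layout = {
        "Documents": ["(Lucifer)image.png", "(Lucifer)budget.xlsx", "(Lucifer)notes.txt"],
        "Music": ["track01.mp3", "(Lucifer)cover.jpg"],   # one hit, below threshold
        "Photos": ["holiday.jpg", "family.jpg"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for n in names:
            with open(os.path.join(root, sub, n), "wb") as fh:
                fh.write(b"placeholder ciphertext")
    return layout


def demo():
    """Build the sample tree in a temp dir, scan it, and return (hits, flagged)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = scan_tree(root)
        return hits, flag_directories(hits)


if __name__ == "__main__":
    found, flagged = demo()
    for directory, count in flagged:
        print(f"{directory}: {count} marked files, originals: {found[directory]}")
```

Pointing `scan_tree` at a real share or user profile instead of the constructed tree gives the same per-directory view, which is also the list of original names a decrypter would need to restore.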

According to Bleeping Computer Luc1F3R is a novice without particular skills. His tutorials published on YouTube describe basic hacking techniques or promote unsophisticated malware.

Some of the video tutorials include a Luc1F3R’s GitHub account that hosts four malware strains:

WHAT THIS MEANS TO YOU

Well, if an unskilled college student can create and distribute this for beer money, then anybody can make or use ransomware like this and sell it on the Dark Web for whatever they need... The barrier to entry is now so low that anyone can build or buy attack software, and given that the authorities cannot effectively restrict or enforce protections against this, we should all be concerned.

We need to take our network and data protection into our own hands, and take it very seriously, now. While no network or computer system is unhackable, we can make our networks and systems harder targets by implementing enterprise-level best practices. Contact FIREFX today to discuss the next steps in protecting your networks and data.

The iPhone X "Face ID" allows a user to safely unlock their phone and can be used to authenticate app purchases. The iPhone X with Face ID is designed to automatically adjust to changes in the user's appearance for specific scenarios like wearing cosmetics and facials.

In the launch event, Apple Senior Vice President Phil Schiller claimed that "Face ID" was capable of distinguishing a human's real face from masks through its artificial intelligence.

Masks tested on the iPhone X by Apple

These claims drew immediate attention from the hacker community. The competition was on to see who was going to fool the iPhone Face ID first. On Friday, November 10th a Vietnam-based security company, Bkav, released a blog and video demonstrating how they had beaten Apple's iPhone X Face ID. The iPhone X Face ID had been defeated within a week of the iPhone X release, which implies it is not an effective security measure.

HOW THE HACK WORKED

Bkav hackers created a composite mask comprised of 3D printing, 2D images and some special arguments to fool the AI of Apple's Face ID.

The hack cost just $150. They used a 3D printer for the frame, a nose part hand-made by an artist, and other parts produced with 2D printing. Again, the skin is handmade to trick Apple's AI. The hack reveals that the recognition mechanism is not too strict, relying heavily on Face ID's AI. The hack was accomplished with only half of the face.

WHAT IS THE REAPER BOTNET

Last month a new "Internet of Things" (IoT) malware was announced; a strain called Reaper. Researchers from China and Israel reported that more than a million organizations are targeted by and vulnerable to this. The software is a variation of the Mirai botnet and targets newfound security weaknesses in countless Internet routers, security cameras and digital video recorders (DVRs).

Researchers believe the number of devices Reaper has currently infected fluctuates between 10,000 and 20,000, but a botnet vulnerability scan of the Internet has revealed an additional 2 million hosts that are vulnerable to this strain of attack. If criminals haven't yet built a million-strong botnet using the current pool of vulnerable devices, they certainly have the capacity to do so. At the flick of a switch, additional Reaper nodes could be subsumed into the botnet and used to launch a devastating attack.

Cybersecurity experts have determined that it is likely intended for use as a booter/stresser service primarily serving the intra-China DDoS-for-hire market. Reaper appears to be a product of the Chinese criminal underground; some of the general Reaper code is based on the Mirai IoT malware, but it is not an outright Mirai clone.

HOW IT IS DIFFERENT FROM MIRAI

While Reaper borrows programming code from Mirai, it is unlike Mirai in several aspects. Whereas Mirai infects systems after trying dozens of factory-default username and password combinations, Reaper targets nine security holes across a range of consumer and commercial products. About half of those vulnerabilities were discovered only in the past few months, and so a great many devices likely remain unpatched against Reaper.

WHAT THIS MEANS TO YOU

This problem of IoT cybersecurity is not going away. New variations will continue to be rolled out, putting many integrators and users into a never-ending cycle of whack-a-mole. Trying to patch and update these devices as needed daily is ultimately a Sisyphean effort.

Since we cannot possibly keep track of the vulnerability status of each and every IoT device we add to our network, or the many unknown "Bring Your Own Device" (BYOD) activities of our end user, we must strive to limit the exposure and damage to these devices by building an IoT sandbox environment in our networks. By isolating the IoT and BYOD devices from standard network traffic, we can implement more draconian rules and limitations to protect these devices from botnet attacks and limit their impact on the rest of the more critical aspects of our networks.

Have questions of how to accomplish this? Feel free to email or call us at FIREFX.

Many people have asked, why do we call our Cybersecurity series "Hello Friend...". It comes directly from the hit USA series, "Mr. Robot", featuring a hacker that is as talented as he is troubled. As the dialogue in the image above illustrates, he has an imaginary friend in his head (played by you as the viewer) that he refers to as "Friend". The remarkable thing about this series is that besides being brilliantly written, every hack used in the story is an authentic hack, not the traditional Hollywood fakery. This is because the technical advisers are hackers and Cybersecurity experts such as Jeff Moss, an American hacker, computer and internet security expert who founded the Black Hat and DEF CON computer security conferences.

If you have not checked out the series, you really should; although watching it will make you paranoid about your own Cybersecurity! Here is a link to a hacker/fan's video describing just a few of the real hacks in the first five episodes.

WHO

Nearly all hackers and automated hacking tools available on the Darkweb utilize several Social Engineering TTPs (Tactics, Techniques, and Procedures) to exploit the weakest link in any Cybersecurity scheme: people.

WHAT

As shown in the video linked above, in the show Elliot prefers to hack people rather than security systems. This technique is commonly referred to as Social Engineering. Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.

Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn't matter how many locks and deadbolts are on your doors and windows, or if you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate, you are completely exposed to whatever risk he represents.

It is infinitely easier to hack a person than it is to hack a network. The primary reason is that network configurations can have varying, unknown layers of security and logging in place, all of which can typically be bypassed by hacking a single user.

HOW

Here are some of the most effective social engineering tactics commonly employed by professional hackers.

Phishing: A phishing attack occurs when an attacker sends out emails to a person or list of people that appear to come from a legitimate site, such as PayPal, a well-known vendor, or a banking site, asking someone to open a document (pdf, Excel, or Word doc) or visit a website to input sensitive information such as a bank account or login credentials. The document or website appears to be the real thing but is instead created by the attacker. The website or document typically contains a FUD (Fully Un-Detectable) payload consisting of malware that automatically infects the person's device, granting remote access to the attacker. This attack can be used in a large-scale, automated email campaign where the attacker sends the emails and gets a list of devices that have been compromised and are ready to be further exploited.

Spear/Whale Phishing: Spear phishing and whale phishing attacks are customized phishing attacks: spear phishing is aimed at specific individuals, while whale phishing targets top executives. Attackers will use any information they find on executives and high-profile targets through sites easily accessible on the Internet. For example, a company may have bios of its executive officers on a corporate website. This information may be used by a social engineer to create a targeted spear-phishing attack on the corporate officer. Or they can use information from LinkedIn, Facebook, or other social media sites.

For example, if the bio tells how a chief financial officer graduated from University of Michigan in 1979 and enjoys playing golf (yes, some executives actually put their hobbies in their bios), an attacker may send an email to that corporate officer as if from the university alumni chapter asking him to come to a special alumni golf tournament for graduates. The executive will be likely to believe that it is authentic. The email may go on to ask the person to access a website to enter credit card information to reserve a spot in the tournament.

Because of the vast amount of information about corporate officers and other high-profile targets, whaling is becoming increasingly popular because this information makes it so easy for attackers to target them in a convincing manner.

Help Desk Call/Tech Support: The typical attacker comes from a highly technical background and will often resort to this experience when they gather information. An example of this is when a social engineer calls up a user within an organization and impersonates a help desk operator. Here is a sample of what that phone call may look like:

Attacker: “Hello. This is Steve from the help desk. Hey listen, we’ve been noticing that some passwords have leaked out, and we are calling around to make sure that people are changing their passwords. We think your password may have been compromised, so if you don’t mind, I’d like to walk you through changing it.”

User: “Sure.”

Attacker: “Great! First, I want you to hold down the Control button, the Alt button, and the Delete button at the same time. That will bring up a new screen that has several buttons. Once this appears, click on the Change Password button. Now it’s important that you type in a secure password that contains a good mixture of uppercase and lowercase letters as well as numbers so that it is difficult for an attacker to hack into your computer. What password are you going to use?”

User: “Hmm…let me think. How about Password123? Is that secure?”

Attacker: “Absolutely. Go ahead and type in the new password and press OK. I really appreciate you taking the time to do this to keep your computer secure.”

The attacker was able to use his or her knowledge of technology to convince a user to give out a password.

Vishing: Vishing is an attack that uses the phone to perform the equivalent of a phishing attack.

A common example and one that is highly effective is to have an automated dialer call a list of numbers automatically and play a recorded message. When the phone is answered, the recorded message may say that the call is from the IRS saying there was a tax issue or a person’s bank and that their credit card may be compromised. The “victims” are asked to call a number to resolve the issue.

The user calls the number and hears another automated message that prompts the victim to enter his social security number or her credit card number, PIN, address, and whatever else the attacker may want. Another popular variation of a vishing attack is sending the original message through a text message to a cell phone instead of calling the person directly.

Social Network Engineering: Social networking sites such as Facebook and LinkedIn are an attacker’s paradise. An attacker can easily build a detailed profile about you from these sites. People post information about where they work, what they like to do, what bands they like, and more. An attacker will use the information you post on your social networking page in a number of ways:

Sending an email impersonating a friend listed on the page asking for confidential information.

Viewing pictures of a person to find out popular hang-outs and then showing up at the same spots to social-engineer the person outside of a work environment.

Discovering the person’s age, place of birth, school, and previous companies, which can all be used to target the person with a spear phishing attack.

Adding the person as a friend to build up an online relationship with a person in order to build trust. The social engineer then exploits that trust to get information from the person which could be used to launch another attack.

NLP (Neuro-Linguistic Programming): Neuro-linguistic programming (NLP) is one psychological tool used by attackers to manipulate people that, when done right, is highly successful. NLP deals with a person’s neurological processes, language, and learned behavioral responses. While NLP was originally designed to be used in therapeutic settings, it has principles social engineers use to manipulate people to do almost anything the social engineer wants.

For example, attackers using NLP to socially engineer someone will seek ways to use their body language and a careful selection of words to give subconscious messages to the person they are trying to manipulate. They begin by matching their body language with the target's body language. They also attempt to match their breathing rate, voice level, accent, and vocabulary with the other person. Doing this helps the attacker build rapport on a subconscious level. They may then give other subconscious messages by changing their body language, smiling and lightly touching the person on their shoulder or arm, and using words that denote positive thoughts, images, and emotions. All of these tactile, visual, and verbal actions (called anchoring and reframing in NLP terms) give subconscious messages that influence the person to have positive feelings and gain a sense of trust and rapport with the attacker. The attacker can then direct the communication to what they are after, such as gathering information about a company's secrets.

NLP is especially successful if you combine it with an understanding of personality styles and behavior profiling. It takes practice but is extremely successful.

RSE (Reverse Social Engineering): RSE attacks have three steps: sabotage, advertising, and assisting. In the first step, the attacker finds a way to sabotage a network. This can range from something as complex as launching a network attack against a target website to something as simple as sending an email from a spoofed address telling users that they are infected with a virus. No matter what technique is employed, the attacker has either sabotaged the network or given the impression that the network is sabotaged.

Next, the attacker advertises his or her services as a security consultant. This can be done through many means including sending mailers, dropping business cards, or sending emails that advertise his or her services. At this point, the attacker has created a problem in the network (sabotage) and is placing himself/herself in a position to help (advertising). The corporation sees the advertisement, contacts the attacker under the false pretense that the attacker is a legitimate consultant, and allows the attacker to work on the network. Once in, the social engineer gives the impression of fixing the problem (assisting) but will really do something malicious, such as planting sniffers, RATs (Remote Access Trojans), or keyloggers, or stealing confidential data.

Piggybacking: Hacking a person to gain passwords or secret information presents one vector of attack in social engineering. But people can also be hacked to gain physical access to a site which can potentially be even more damaging. In a piggybacking attack, an attacker poses as a legitimate employee and walks into a secure building by following behind someone who has access.

A classic example is an attacker showing up at the front door of a secure facility on a rainy day at 8 am, carrying a heavy box. As an employee walks up, the attacker takes advantage of human kindness by saying, “Would you mind opening the door for me? I can’t reach my badge to open the door while carrying this box.” Because people generally want to help others, the employee will open the secure door and grant access to the attacker.

Another common example of this is for the attacker to show up in the area where employees stand outside to smoke. The attacker stands outside smoking with other employees then, when the employees finish smoking, he or she will simply walk right behind them and into the building, bypassing any physical security control such as card readers.

Once inside, the attacker can gain physical access to the network through nodes such as a printer, switch, router, or PC or hang a device on the network that can allow for automated remote access for control and monitoring.

Sex: Sex sells... period. Always has and always will. If there is one universal truth, it is that human beings can and will do dumb things when attracted to someone. When I served on fast attack submarines during the 1980s (height of the Cold War), we were frequently told that if a really attractive female began talking with you, be extremely careful of what you say because "A" you aren't that good looking, and "B" they are either a Soviet spy or a US Naval Intelligence officer trying to get you to reveal some secret information. Using human attraction, an attacker gets the user interested in them and gives them the impression that the feelings are reciprocated. This leaves the user vulnerable for the attacker to do everything from gathering insider information to pick-pocketing keys to a building while he or she is not paying attention.

This can also be done using many of the dating sites or apps. Recently there was a large-scale fraud perpetrated by Nigerian nationals using fictional military service member profiles on dating services to build a false sense of intimacy with women specifically targeted for the information they shared on the site. The "soldiers" purported to be "serving overseas" and, once suitable romantic feelings and trust had been built, they presented an emergency situation, bilking the unwitting victims into wiring cash to accounts in the US which were then sent on to Nigeria.

A social engineer is one who understands psychology and engineers ways to manipulate people to their advantage. Leading someone on to believe there is mutual chemistry is one of the oldest social engineering tricks in the world.

Inebriation: If an attacker is after information, nothing will get a user talking more than meeting them at a bar. If an attacker wants to learn about insider information, he or she may seek out a user who likes to go to bars. The attacker may follow people home from their work to see which ones go to bars after work, or may look people up on social networking sites to see if there are pictures or any other information that may reveal the names of bars or clubs that they visit. Armed with this information, the social engineer may strike up a conversation with the targeted person at a bar and try to get the person drunk enough to reveal information.

There are several steps an attacker may take to accomplish this. Once the attacker learns what bar the target person visits, the attacker will arrive early to strike up a conversation with the bartender, telling the bartender that he or she will be in later and giving the bartender a large sum of cash in exchange for making sure that there are always drinks ready for them. In addition, the attacker will tell the bartender that he or she is an alcoholic and that no matter what drink he or she asks for, not to put alcohol in it. This way the attacker stays sober and can focus on his or her objective while the target person gets drunk.

Later that night, the attacker will approach and strike up a conversation with the user, order several rounds of shots and hard liquor on his tab, and attempt to get his target person drunk. Once drunk, the attacker can bring up the topic of work and proceed to get information that the person would otherwise never share such as how to get into a building, passwords, trade secrets, and more.

COUNTERING IT

These are just a few of many techniques used by attackers employing social engineering. Some of these involve technology (e.g., spear phishing) while others use tried and true methods of human manipulation (such as NLP).

The first step in countering social engineering is to evaluate what type of target you are. Do you have too much information about past and present activities or experiences out on the social media sites? Are you scrutinizing contacts with people and any unsolicited documents or links you may receive? Do you avoid using any information posted on your social media or in your history when creating your password schemes?

Once you have covered your issues, you need to look at your organization. If you are concerned about social engineers targeting people in your organization, you can take some steps to help thwart these attacks:

First, users should be regularly trained in how to look out for suspicious people, e-mails, and phone calls.

Second, train users to use common sense when responding to requests for information. In other words, some people just need to be taught some street smarts. Some organizations do this by spelling out in a security policy the dangers of using social networking sites and of drinking and discussing work topics with strangers (of course, this is only effective if users actually read the policies which, as we all know, is wishful thinking).

Finally, employ the principle of need-to-know. The need-to-know principle states that users should only be given enough information to function. They should not be given information about other systems or about decisions made at higher levels that do not relate to their environment. This way, should an attacker try to get information out of them, they would have limited information that they could reveal.

The bottom line is that social engineering will always be around and you will only ever be as secure as the most vulnerable link in your organization. As long as you are willing to have a healthy level of paranoia and good common sense, you do not need to fear them.

It was announced today that a new WiFi vulnerability has been discovered and published called the Krack Attack. Since we all use WiFi in our homes, offices, and nearly every job we work on, I thought it would be something worth looking into together.

WHAT IS IT?

Security researcher Mathy Vanhoef publicly disclosed a serious vulnerability in the WPA2 encryption protocol today. Most devices and routers currently rely on WPA2 to encrypt your WiFi traffic, so chances are you're affected. Attackers can't obtain your Wi-Fi password using this vulnerability. They can just look at your unencrypted traffic if they know what they're doing. With some devices, attackers can also perform packet injection and do some nasty things. This vulnerability is like sharing the same WiFi network in a coffee shop or airport.

WHAT CAN I DO TO PROTECT MY CLIENTS FROM IT?

Vendors have known of this since July (it was just published today). So most vendors will have updates and patches that will fix this. Check with your vendor. You need to update all of the WiFi enabled things you can (laptops, WiFi enabled routers, WAPs, tablets, etc.). The important thing to consider is that both clients and WAPs need to be patched against the Krack Attack, so there are a lot of vectors to consider, and when you talk about all of the little devices out there on WiFi, you get the picture of what a mess this is.

Add to that the client's BYOD & IoT products that are added by clients to your WiFi networks daily. Regarding IoT devices, consider which of those devices pose the most serious risk if unencrypted traffic is intercepted. Say, for example, a connected security camera that doesn't encrypt traffic when you're on the same WiFi network - well, that could allow attackers to snoop on raw video footage inside your home.

IF YOU ARE CONCERNED:

Take action accordingly - e.g. by pulling the most risky devices off your network until their makers issue patches. And be sure to keep an eye on the kinds of devices your kids might be connecting to your home network.

Use the HTTPS Everywhere extension. You can mitigate risks by prioritizing encrypted internet traffic over unencrypted traffic. The EFF has released a neat browser extension called HTTPS Everywhere. If you're using Google Chrome, Firefox or Opera, you should consider installing the extension. There's no need to configure it, so anybody can do it.

Consider using Ethernet wherever possible in place of WiFi, especially in high security deployments.

Over the last few weeks, several of our dealers have been asking us to lay out a direct comparison of the CUJO security appliance vs. our Network Guardian. In the Army, we have an acronym I love to use. "Give me the BLUF" (Bottom Line Up Front). When time is of the essence, this is really the best way to communicate important ideas and information. We know you do not have much time to waste, so here is the BLUF on the CUJO vs. FIREFX Network Guardian in a head to head comparison.

In this comparison we will reference CUJO's stated specs and two independent CUJO product reviews which we will link to for your benefit.

First off, we will show a side by side comparison of specifications and features.

HARDWARE SPEC DIRECT COMPARISON

Direct comparison of CUJO and FIREFX Network Guardian hardware

So as you can see, the Network Guardian has twice the number of processor cores at twice the speed of the CUJO, along with four times the RAM, which is why we performed at over double the tested throughput at full protection. The Network Guardian also has double the Ethernet ports available, allowing for separating traffic through VLANs for greater security. In the Army we have another saying we use when we are in the field... "Two is one and one is none", or in Texas we would also say "Bigger is better". We design all of our products with this in mind, over-engineering for today so our product will continue to perform under the demands of tomorrow.

In addition to these hardware drawbacks, CUJO requires a separate firewall/router to be installed in front of it, as described in the Small Net Builder review.

"In home networks with only a single network device, usually a Wi-Fi router connected to the Internet, this can be challenging. The CUJO firewall does not connect directly to the Internet; it needs a router in front of it."

FEATURES DIRECT COMPARISON

That's nice, but what does all this mean to me? Here is a breakdown of the feature differences.

Protects more than 50 devices: While 50 devices seems like a lot today, we need to be building a network for the future. As clients continue to add BYOD (Bring Your Own Device) products to our networks, and more devices become TCP/IP compliant/dependent, that number of 50 will become an issue. Because of our superior hardware standards, the Network Guardian can easily support numbers of devices in the high hundreds to low thousands.

VPN Server: Bottom line, you need a VPN server to remotely access all of your client sites, and your clients need it to access all of their sites/applications securely. The days of port forwarding devices through the firewall must end. The Network Guardian comes with a pre-configured VPN server complete with two factor authentication and user accounts. Just change your user password, export a certificate, and begin secured connections!

Parental controls: Through VLAN separation, the Network Guardian allows for secure parental control (i.e. blocking content and scheduling access times). During setup, our remote technicians can log in and help you configure this as desired.

Remote access dealer support: As part of your support, FIREFX network engineers act as your digital concierge, assisting in tier one support and basic configurations during and after setup.

GeoBlocking: The FIREFX Network Guardian blocks all unsolicited connection attempts from outside the US by default. Dropping these packets based on their origin, without inspecting them, greatly reduces load on the firewall and limits DoS attack effectiveness on your networks.

Customizable ProAV Command & Control rule sets: In our industry, we have a lot of automated traffic that the typical home network does not see. Much of this traffic can be misconstrued as malicious traffic and is often blocked by a typical IDPS (Intrusion Detection Prevention System). The FIREFX Network Guardian comes with a custom set of ProAV rules and can be modified for new custom rules as needed by the integrator or with the assistance of our digital concierge support.

Anti-Virus & Anti-Malware: While cloud-based anti-virus and anti-malware is a good addition to network security, it is not the be-all and end-all. As the Tech Radar review states, "Despite some overblown claims on the CUJO website, the device can't replace your antivirus, and you'll probably need to keep the same security software you're using now." We could not agree more. As for devices that do not run anti-virus or anti-malware software, such as printers, TVs, light bulbs, etc., we have built a special "protected" IoT VLAN just for them which is designed to prevent malicious code from ever infecting them.

VLAN separation with IDPS protection: The FIREFX Network Guardian uses Enterprise level security based on VLAN separation with IDPS protection both through the firewall and behind it. We know from experience that most hacks originate behind the firewall on a compromised PC, tablet, or smartphone. By separating and protecting that traffic from all of your security, control, environmental, media, and lighting systems, you can confidently contain any security breaches that may happen to those end user devices.

24/7 status remote monitoring: FIREFX can monitor the status of all active firewalls remotely and does so as part of our standard support package. This can assist you in troubleshooting any issues in the field.

Recurring revenue plan for dealers: FIREFX helps dealers set up a recurring revenue plan around network security which is a real pain point and value add to both the customer and the dealer.

Generous margins on MSRP: The Network Guardian is a professional grade enterprise class product designed specifically for the ProAV market. We offer generous margins on wholesale for a quality product with excellent support.

MSRP pricing not made public: You won't find FIREFX products listed on Amazon, New Egg, CDW or other dealer sites. This prevents end users from shopping your cost.

Designed and supported by military trained cyber-security experts and ProAV techs: The Network Guardian is the only network security appliance designed by people from the ProAV marketplace with military cyber-security training. The result is a professional security appliance tailored to the environments you work in.

Pre-configured for rapid and easy setup: We know that time=money in business. That is why we pre-configure the Network Guardian to work right out of the box. Pre-configured features such as multiple VLANs, an active IDPS system, secure DNS, GeoBlocking, Firewall rules, DHCP servers, and a VPN server are among our many pre-configured settings.

To be fair, the CUJO is a very good idea. But in reality, network security is not as simple as plugging in a device and walking away. The CUJO appliance is probably good for a technical DIY install on a small network. For the ProAV market, the CUJO is not a good fit.

While it is both humbling and exciting to be selected as the Best New Hardware Product of 2017 by the CEDIA judges, their selection of a pure cyber-security product signifies something new in our industry. Yes, cyber-security is the new sexy in the CEDIA market place.

When both of our cyber-security best product entrants were named finalists, we were really pleasantly surprised. When the Network Guardian won top honors, we were totally blown away. This recognition clearly points to a problem that is plaguing a great majority of CEDIA market dealers. While there are some that have access to competent IT staffers for network design, deployment, proper security implementation, and maintenance, the majority of dealers do not. And while the basic recommended "network security best practices" sheet from the last few years is helpful, most of us know that merely updating firmware, changing default passwords, upgrading anti-virus, and hiding behind a typical Pro AV firewall no longer offers sufficient protection.

And by the way, if you don't know what half of these things are, then you are in good company. The typical dealer has so much other technology to master in addition to running a successful business that it is no wonder they are forced to become jacks-of-all-trades, leaving little chance to become networking or cyber-security experts.

Back to the multi-layered solution. In the Army we layer everything, creating gateways to detect, record, block, and slow any hacking activity. We call this process Information Assurance or IA. We start at each device with host based anti-malware, anti-virus, firewall, and intrusion detection software. We add operating system policy control and place the devices on a domain for added security. Any wireless devices require additional 802.11 enterprise RADIUS certificate based authentication. Our networks are subdivided logically into many VLANs and physically into enclaves based on the mission requirements. Each VLAN and enclave is continually monitored by an active network based IDPS (Intrusion Detection & Prevention System) and our mail servers are aggressively scanned for viruses and malware. Any new device must have a CoN (Certificate of Networthiness) before its hardware/software is connected to our networks.

Obviously we can't implement this level of security in our market place, but we must do more than we have in the past. Over the last few years, our industry has made a successful transition from the old proprietary communications technologies to a standards based Everything Over IP (EOIP) model, building robust TCP/IP networks that will support all of the controls and devices in the home and business automation environment. Our next task will be to create a stable and secure environment for our automation while adding all of the TCP/IP based Bring Your Own Devices (BYOD) to the network. Once you build the network and leave, the customer will add BYOD products to your network which will have varying levels of security depending on the manufacturer. Since we cannot control the devices added by a user, the next best thing is to provide them with a safe "sandbox" environment to add them to, thus protecting our automation and control network.

In the past I have often heard people in our industry refer to the four pillars of automation. These pillars being Lighting, Security, Environmental, and Entertainment. I believe now that we must consider the fifth element of this picture to be a solid foundation on which to build the four pillars. That foundation is cyber-security.

Over 150 products were submitted for CEDIA's Best New Hardware Product award. Of those, the judges selected 30 of the best as finalists. Both of FIREFX's new products were among those top thirty selected. The Network Guardian and the Data Vault are revolutionizing cyber security for home and small to mid sized businesses around the world.

Stop by our booth #3153 and see what FIREFX can do for your cyber security needs and help you build your recurring revenue model around your customer's cyber-security needs.

We've all heard the saying "one bad apple spoils the whole bunch," and have probably seen instances where it does apply to people. This is a real phenomenon. As they ripen, some fruits, like apples and pears, produce a gaseous hormone called ethylene, which is, among other things, a ripening agent. When you store fruits together, the ethylene each piece emits prods the others around it to ripen further, and vice versa, resulting in a bad apple ruining the bunch.

So how does this apply to your properly configured firewall and secure network? Every time you or your clients leave the protection of your network with a mobile device, they expose themselves to what we call in the US Army the "dirty Internet". While operating at offices, friends' and family members' homes, coffee shops, hotels, airports, and restaurants, these devices are exposed to potentially unprotected access to the dirty Internet. It is during these times that the potential for malware contamination of the devices is the greatest. Once these devices come back to the home network, the real damage happens. Using a traditional firewall, no protection is given to the devices on the network behind the firewall, and the malware can wreak havoc, infecting all of the third party devices it can find and connect to.

Many of the user's mobile devices such as phones, tablets, laptops and PCs will have endpoint protection. If it is up to date and performing properly, they may be protected, but what about all of the other smart devices on the network? Hubs, control systems, TVs, refrigerators, Network attached Storage (NAS), lights, shades, printers, scanners, locks, and assistants like Amazon Echo and Google Home? These devices are tempting targets as they are usually powered on 24/7, have very little security, and run no anti-virus or malware protection applications.

This is where the bad apple being introduced to your network can ruin everything. There are a couple of questions you need to ask in this scenario.

1. If this happens, how will I know if my IoT devices are compromised? How does one detect malware on a refrigerator, camera or TV?
2. If I do determine that my IoT devices are compromised, how do I remove the malware?

Not too long ago I had a discussion with an integrator that ran into this very issue on a campus of four buildings they had under contract. The network became infected through the introduction of a compromised thumb-drive to a PC behind the firewall. As malware spread freely through the network, things became very slow and unreliable. They returned two weeks in a row to clean the tablets, PCs and mobile devices. Each time the malware returned to the network within a matter of days. Finally they brought in an expert and identified that the malware was in the security cameras and was re-infecting the network each time they cleaned it. They had to take each camera and, one at a time, isolate it from the network to watch the traffic and attempt to identify whether malware was present. Once it was identified, the firmware was re-flashed in an attempt to recover the camera. I know the process took weeks of valuable time for the integrator.

To minimize the chance of this happening to you and your clientele,

1. Use proper VLAN separation of IoT, control, security, and dirty Internet devices
2. Implement secure DNS on site
3. Use an actively updated Intrusion Detection & Prevention System (IDPS) that inspects all traffic (inbound, outbound, and between VLANs)
4. Actively filter known malicious websites and server addresses on the Internet and dark web
5. Use a Virtual Private Network (VPN) client & server to protect your mobile devices while out in the dirty Internet environment
6. Keep up-to-date end-point protection on your mobile devices and PCs
7. Secure all of your network devices with unique and complex passwords
8. Never port forward anything through your primary firewall - use VPN instead
9. Use a high performance firewall with deep packet inspection capability
10. Make sure to install patches and updates to devices as soon as they come out
11. Use Geo-blocking to block unsolicited access to your network by foreign countries
12. Monitor device and network health remotely

If you have any security concerns or questions or want to learn how to build your RMR business around cyber-security, please feel free to call us at FIREFX or stop by booth #3153

Everybody uses cloud services. It's almost unavoidable today; the moment you set up a computer or smart device, it prompts you to create an account in order to download apps and updates, then proceeds to automatically back up your contacts and other information to the cloud. At any given moment, your phone or computer could even be uploading your photos, location data, browsing/shopping data, and social media activities to the cloud, if you have such features enabled (which they usually are by default). Even if you try your best to avoid it, it's likely that you have some information sitting in the cloud - except that there is no such thing as "The Cloud". "The Cloud" isn't "The Cloud", it is just space on other peoples' computers residing on the Internet.

Think about your daily online activity. Chances are you sent a few emails via Gmail, moved some new family photos or other files to an online storage service, perhaps created some new posts for your blog, and updated your LinkedIn, Pinterest, Facebook or Twitter accounts. But where does that data you upload go?

Here in America, we are used to having our rights of privacy, protected by the 4th amendment of our Constitution.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

But even in America, these rights can be, and are regularly waived through verbal agreement and/or written contract. I know this as a fact as a member of the Military and former member of the Law Enforcement community. Have you ever read your "Terms of Service" agreement for the cloud services you use? No one reads those, right?

If you ask anyone, they will tell you that "The Cloud" is simply a place on the Internet where they can store and access their own data through Dropbox, Microsoft OneDrive, Google Drive, iCloud, Box, Azure, AWS, etc. But who owns the data once it is placed on the "Cloud"?

"Surely it remains my data," you might think, "I own it."

Data ownership on other people's computers raises a whole lot of questions. What are they doing with that data? We have already seen large corporations grant US Government Intelligence Agencies unprecedented access to data they store. Perhaps even more importantly, where is that data physically stored? As I said before, the Cloud doesn't exist, but the computers your data resides on physically do. They have a footprint… somewhere. Is your data being stored in the United States, Europe, South America, or Asia?

The fact is, your online data is likely stored in several different countries, making it impossible to claim ownership of the data you created and "shared" on these cloud services. Even if the data is stored on a friendly country's servers, such as in the UK, currently under English law there are no property rights in data as such, although this has not necessarily prevented individuals and businesses from treating data as property. A recent judgment in the UK provided the following guidance:

Information stored electronically does not constitute property which someone can exercise possession of, judges in the UK have ruled.

The Court of Appeal rejected arguments to the contrary and refused to interpret existing laws in a manner which would, it admitted, "have the beneficial effect of extending the protection of property rights in a way that would take account of recent technological developments".

The judges said that whilst it is possible to exert control over electronic information it is not possible to gain possession of it. The distinction was drawn in a case concerning a dispute between a publisher and an IT supplier.

So what is the bottom line? So long as markets exist for buying or selling user data and individuals regularly disclose their personal data in exchange for goods and services, any user data stored on "The Cloud" will be at risk.

Think twice before clicking send; uploading all your files onto a third party "Cloud" service. Other options to consider include local backup and file storage to a Network Attached Storage (NAS) and/or privately owned "Cloud" systems via the Internet.

Large businesses with Enterprise level services and infrastructure already accomplish this, enjoying greater levels of "off grid" security with privately hosted storage and services. Enterprise level security and computing is currently pushing its way down into the home, SOHO, and Small to Mid-sized Business (SMB) environments. This issue will continue to grow in importance going forward, especially to the SMB and high net-worth individuals in the market who wish to guard their intellectual property, trade secrets, and personal data.

FIREFX will address this problem with its newest security ecosystem offering; The DATA VAULT. The DATA VAULT will offer private cloud storage services (hosted from the home, SOHO or SMB) and encryption proof data storage to protect against ransomware attacks.

Often in our network security presentations we discuss printers as being a prime target for hackers. After a few days of cyber-security demos while at InfoComm 2017, we actually had IT team members from a well-known university come up to us and confide that all of their printers had been hacked. In fact they did not know for how long these printers had been compromised. They only learned of the hack when the hacker(s) decided to show their hand, instructing the printers to all print bomb threats simultaneously.

In February 2017, a white-hat (good guy) hacker with the handle "Stackoverflowin" hacked 160,000 printers to "raise awareness" of their vulnerabilities. Using his own automated script, Stackoverflowin detected insecure printers manufactured by a wide range of companies, including HP, Brother, Epson, and Canon. He instructed the machines to print a document informing victims of the hack with ASCII art interspersed throughout. Had he been a black hat hacker, he would have never let his presence be known. He would have instead made the printer his remote listening post for all things digital.

But why do hackers like printers so much? Let's unpack this shall we?

A hacker will most likely enter your network from a mobile device or PC (behind the firewall), usually via a successful phishing attack, an infected web link, or a previously infected device joining your Wi-Fi. Once the hacker is on your network, knowing that the PC will likely leave the network or shut down in the near future, he/she will look for a more permanent device to set up shop in.

The device they look to hack will meet the following criteria:

1. Reside permanently on the network
2. Have rudimentary to no security
3. Have no antivirus program running
4. Be "up" on the network 24/7

Devices that meet these requirements include most IoT devices (cameras, baby monitors, smart bulbs/sockets, control systems, etc.) and, of course, printers. Printers are the most desirable because, in addition to the above, they meet the following criteria:

1. Relatively powerful processor/architecture
2. Large amount of RAM and on-board storage space for more comprehensive hacking tools
3. Ability to automatically send PDF copies of all print jobs and scanned documents to the hacker via daily email

The average hack takes three hours to complete and is not detected for 260 days. How would you determine if a printer on one of your networks was hacked? What would you do about it if you did discover a hacked printer?

Networked printers can be a hacker's long-term gateway into an entire business or private residence. Printers typically receive, process, store and print extensive sensitive data, from intellectual property to personally identifiable information (PII) and protected health information (PHI). Accordingly, they present a golden opportunity for attackers to commit long term data breaches, achieve financial gain or bring about reputational damage.

Many attackers use malware in the form of automated printer attack tools or other methods to compromise printers through network connections. Once a hacker succeeds, that breach can be leveraged for many purposes. The most common aims are gaining unauthorized access to any information being sent to that printer, and using the printer as a starting point to infiltrate other systems.

Given these risks, we should take stock of printer-related concerns and develop a realistic plan to address them.
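One concrete way to answer the question above ("how would you determine if a printer on one of your networks was hacked?") is to look at what the printer initiates, not what it receives. A printer should only ever open connections to a short list of internal hosts; the "daily email to the hacker" behaviour in criterion 3 shows up as the printer contacting the same outside host at the same hour, night after night. The script below is an added example, not FIREFX code: it parses a constructed flow-log export (the record format, addresses and allowlist are assumptions) and reports printers that contact non-allowlisted hosts, flagging the periodic pattern separately.

```python
"""Flag printers that initiate connections a printer has no reason to make.

Added example (not FIREFX code). Input is a constructed flow-log export, one
flow per line: timestamp, source, destination, destination port, bytes. The
record format, the addresses and the allowlist are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample. 10.0.20.16 pushes a few MB to an external mail port at
# roughly the same time every night and later touches an internal file server.
FLOW_LOG = """\
2017-06-20T02:10:03 10.0.20.15 10.0.10.5 25 184320
2017-06-20T09:14:11 10.0.20.15 10.0.10.7 9100 9211
2017-06-20T02:10:17 10.0.20.16 203.0.113.44 587 3145728
2017-06-21T02:10:21 10.0.20.16 203.0.113.44 587 2981234
2017-06-21T10:02:45 10.0.20.16 10.0.10.7 9100 7710
2017-06-22T02:11:02 10.0.20.16 203.0.113.44 587 3311001
2017-06-22T13:40:18 10.0.20.16 10.0.30.200 445 512
"""

PRINTERS = {"10.0.20.15", "10.0.20.16"}
# Hosts a printer legitimately initiates connections to (assumed):
# the internal SMTP relay for scan-to-email and the print server.
ALLOWED_DESTINATIONS = {"10.0.10.5", "10.0.10.7"}
# RFC 1918 ranges; checked explicitly rather than via is_private so that
# documentation ranges such as 203.0.113.0/24 count as external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Turn the flow export into a list of dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_suspicious_printers(flows, min_days=3):
    """Return {printer_ip: [finding, ...]} for printers that talk to
    non-allowlisted hosts. Two indicators are reported:
      * any connection the printer initiates outside the allowlist
        (external host = likely exfiltration; internal host = likely pivot);
      * the same destination contacted at the same hour on min_days or more
        distinct days, the 'daily report' pattern described above.
    """
    findings = defaultdict(list)
    schedule = defaultdict(set)  # (printer, dst, port) -> {(date, hour)}
    for f in flows:
        if f["src"] not in PRINTERS or f["dst"] in ALLOWED_DESTINATIONS:
            continue
        schedule[(f["src"], f["dst"], f["port"])].add((f["ts"].date(), f["ts"].hour))
        if is_internal(f["dst"]):
            findings[f["src"]].append(
                f"unexpected internal connection to {f['dst']}:{f['port']} (possible pivot)")
        else:
            findings[f["src"]].append(
                f"outbound to external host {f['dst']}:{f['port']} ({f['bytes']} bytes)")
    for (src, dst, port), slots in schedule.items():
        days_by_hour = defaultdict(set)
        for day, hour in slots:
            days_by_hour[hour].add(day)
        for hour, days in days_by_hour.items():
            if len(days) >= min_days:
                findings[src].append(
                    f"daily pattern: {dst}:{port} around {hour:02d}:00 on {len(days)} days")
    return dict(findings)


if __name__ == "__main__":
    for printer, notes in find_suspicious_printers(parse_flows(FLOW_LOG)).items():
        print(printer)
        for note in notes:
            print("  -", note)
```

On the sample, 10.0.20.15 only reaches the mail relay and print server and is not reported; 10.0.20.16 is reported for three external mail-port connections, one internal SMB connection and the nightly pattern. The same logic runs on real data if the printers' addresses and their legitimate destinations are known, which is itself the first step of "taking stock": a printer whose expected destinations cannot be listed cannot be monitored.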

For more information on securing printers and other IoT devices, feel free to contact me or my team members at FIREFX.

The FIREFX DATA VAULT is a unique military-grade solution combining hardware and software to address one of the fastest-growing cyber-security concerns: ransomware attacks. With the rapid rise of malware-based ransomware attacks, businesses and consumers alike need their data protected. It is with this in mind that FIREFX is proud to announce a ransomware-proof DATA VAULT as part of our cyber-security solution, to allow for on-premises safe storage of important data and backups.

The Data Vault stores your files in a protected "unencryptable" format locally for quick retrieval in the case of a ransomware attack. No need to pay the ransom; just restore your machines locally and resume business as usual accessing your local files from their protected storage.

FIREFX has provided a completely secure product pre-configured by some of the best military-trained cyber-security experts utilizing the same tools, techniques and best practices used to protect Top Secret data. We did the hard work for you so you don't have to become a cyber-security expert to protect your clientele. In addition to this, when paired with our NETWORK GUARDIAN Next Generation Firewall, we continue to serve as your cyber-security concierge, remotely monitoring and supporting the DATA-VAULT as needed.

With the current state of the Internet and Internet of Things (IoT) cyber-security, there is a great need for a real and meaningful security standard that can be deployed to homes. FIREFX has developed a product that can be professionally designed and customized to address the security needs of the 21st century smart home.

The FIREFX Network Guardian is a Next Generation Firewall & Unified Threat Management (UTM) device that replaces the traditional router/firewall in a smart home, adding superior performance, proactive IoT protection, cyber-security and data protection. The Network Guardian does this by combining a military-grade intrusion detection/protection platform and firewall with the traditional router in a superior hardware chassis.

Just as a home security system ensures your physical safety, the FIREFX Network Guardian ensures your cyber-security. The Network Guardian is the first dedicated security router/firewall designed specifically for IoT smart home and small to mid-sized business deployments. With pre-configured monitored VLANs for control systems, PC/wireless devices, guest access, and kid-safe protected Internet access, the Network Guardian can be fine-tuned by a professional home systems integrator to meet your specific needs.

How does it work? In simplest terms, the VLANs create a separation in the network traffic, allowing for granular content filtering and creating inspection points as traffic traverses the router. As traffic crosses between VLANs or goes in or out of the router, it is carefully inspected for known threats by comparing it to threat patterns that are downloaded twice daily to protect your network from emerging viruses and malware. In addition, the Network Guardian continually analyzes your traffic, learning what is normal and flagging suspicious traffic for closer scrutiny. Traffic identified as malicious is immediately shut down, protecting the entire network from cross contamination.

A major ransomware attack has affected many organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'.

The malware has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading like a worm, compromising hosts, encrypting the files stored on them and then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread; it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet.

The WannaCry ransomware attack is not over, but there is still time to take some immediate steps to protect the data on your systems. Although your network may have been protected by the Network Guardian, your systems are still very vulnerable once they leave the protection of your "hardened" environment. You must share these steps with your customers to ensure their data is protected.

Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.

In accordance with known best practices, any organization that has SMB publicly accessible via port forwarding to the internet (ports 139, 445) should immediately block inbound traffic to these ports.

In addition to these steps, the following best practices are recommended.

Ensure your customer is running an actively supported operating system that receives security updates (i.e., not Windows XP or earlier).

Have an effective patch management program that deploys security updates to network endpoints and other critical parts of your infrastructure in a timely manner.

Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline or protected. Adversaries frequently target backup mechanisms to limit the possibilities a user may be able to restore their files without paying the ransom.
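The steps above are a checklist, and a checklist is only useful if it is run against every endpoint and every edge rule rather than remembered. The script below is an added example, not FIREFX code: it takes a constructed endpoint inventory and a constructed port-forward table (the record formats are assumptions; a real run would consume exports from the patch-management system and the edge router) and reports every host and rule that fails one of the items listed above. Note the last port-forward rule: SMB hidden behind a non-standard WAN port is still SMB exposed to the internet.

```python
"""Audit endpoints and perimeter port-forward rules against the WannaCry
checklist above. Added example, not FIREFX code. The inventory and rule
records are constructed for this example."""

# Operating systems that no longer receive security updates (per the guidance above).
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}
SMB_PORTS = {139, 445}

# Constructed endpoint inventory.
INVENTORY = [
    {"host": "front-desk01", "os": "Windows 10", "ms17_010_applied": True,  "offline_backup_age_days": 2},
    {"host": "lab-pc07",     "os": "Windows 7",  "ms17_010_applied": False, "offline_backup_age_days": 40},
    {"host": "scanner-xp",   "os": "Windows XP", "ms17_010_applied": False, "offline_backup_age_days": None},
]

# Constructed port-forward table from the edge router. The last rule hides
# SMB behind a non-standard WAN port, which does not make it safe.
PORT_FORWARDS = [
    {"wan_port": 443,  "proto": "tcp", "lan_host": "10.0.10.9",  "lan_port": 443},
    {"wan_port": 445,  "proto": "tcp", "lan_host": "10.0.10.20", "lan_port": 445},
    {"wan_port": 4450, "proto": "tcp", "lan_host": "10.0.10.21", "lan_port": 445},
]


def audit_hosts(inventory, max_backup_age_days=7):
    """Return (host, problem) pairs for every checklist item a host fails."""
    findings = []
    for h in inventory:
        if h["os"] in UNSUPPORTED_OS:
            findings.append((h["host"], f"unsupported OS ({h['os']}): no security updates"))
        if not h["ms17_010_applied"]:
            findings.append((h["host"], "MS17-010 not applied"))
        age = h["offline_backup_age_days"]
        if age is None:
            findings.append((h["host"], "no offline backup"))
        elif age > max_backup_age_days:
            findings.append((h["host"], f"offline backup is {age} days old"))
    return findings


def exposed_smb_forwards(rules):
    """Rules that deliver internet traffic to an SMB port inside the network,
    regardless of which WAN port the router listens on."""
    return [r for r in rules if r["proto"] == "tcp" and r["lan_port"] in SMB_PORTS]


def summarize(inventory=INVENTORY, rules=PORT_FORWARDS):
    """The counts a triage meeting wants first."""
    host_findings = audit_hosts(inventory)
    return {
        "hosts_needing_action": len({h for h, _ in host_findings}),
        "unpatched_ms17_010": sum(1 for _, p in host_findings if p == "MS17-010 not applied"),
        "smb_forwards_to_remove": len(exposed_smb_forwards(rules)),
    }


if __name__ == "__main__":
    for host, problem in audit_hosts(INVENTORY):
        print(f"{host}: {problem}")
    for rule in exposed_smb_forwards(PORT_FORWARDS):
        print(f"remove forward WAN {rule['wan_port']} -> {rule['lan_host']}:{rule['lan_port']}")
    print(summarize())
```

On the sample data the unsupported XP host fails three items, the unpatched Windows 7 host two, and two of the three forward rules land on port 445. The backup age threshold is a parameter because the right value depends on how much work the customer can afford to redo; the page's point is that the backup must exist and be kept offline, not how old it may be.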

CE Pro presents the 2017 Quest for Quality Awards, recognizing outstanding service by manufacturers and distributors.

Every integrator knows that the key to their success is customer service. In the end, it doesn’t matter how technically advanced the equipment is that you have installed, if you don’t provide great customer service to your clients, you have failed.

The same holds true for manufacturers and distributors. Their warehouses and factories are laden with the most sophisticated home entertainment equipment in the world, but if they fumble in their interactions with integrators, they have likewise failed.

That's why CE Pro's annual Quest for Quality Awards gauges not products, but services. Now in its seventh year, the Q4Q Awards recognize outstanding service by manufacturers and distributors. (See last year's Q4Q awards here.)

It really is a coveted award because it represents the individuals that work hard every day to satisfy integrators with tech support, warranty administration, dealer programs/incentives, lead generation, shipping policies, dealer protection policies, trade show presence, website, dealer portal, social media presence, training programs, sales and marketing help, and general communication.

This year, two new categories were added to the slate: software support and recurring monthly revenue (RMR) support programs.

In the end, people like doing business with people they trust and like. The better support integrators receive from their suppliers, the better services they ultimately are able to offer to their end-user clients.

What makes the CE Pro Q4Q accolades so special is that nominations and votes come directly from integrators — more than 7,400 votes this year.

We asked the winning companies to express why they think dealers honored them, and several have provided photos of their teams so you can see the faces behind the services.

Q4Q Award In Silver For Superior Tech Support

Technical Support

“FIREFX stands apart from the competition in many ways, but prime among these differences is the way our company was forged in the crucible of military service to this country. While not all of our members have military backgrounds, most do, and we actively strive to maintain the warrior ethos in our halls and corporate culture, honoring the spirit of those of us who have and continue to serve. The dedication we carry forward to FIREFX is one of the byproducts of the founders’ experience on and off the battlefields of the world embracing the values of Loyalty, Duty, Respect, Selfless Service, Honor, and Personal Courage (LDRSHP) in everything we do, including our daily interaction with our customers. We take great pride in this and our team is honored to be recognized as one of the best in this industry.” —Larry Allhands, President/CEO

This is the second in a new series called "Hello, Friend". In this series, FIREFX's US Army trained Cyber-Experts will tackle common and emerging cyber-threats and cyber awareness and try to keep it at a level that anyone (even a non-hacker) can understand. Our goal with this series is to better educate you and help you and your clientele become "Hard Targets" to hack.

If you have questions regarding this or other cyber-security threats please feel free to email or call us directly.

"Hello Friend... Pineapples, VPNs, And The Man In The Middle"

WHO

Pineapples can be used in selective, targeted attacks to compromise individuals or organizations, or they can be used to infect mass targets at large public gathering places with open networks such as hotels, airports and coffee shops. These target-rich environments allow hackers to infect large groups of users for later exploitation. Hacked accounts can be either manually exploited later or sold in blocks for Bitcoin on the dark web.

WHAT

Have you or any of your clients ever used public WiFi at a hotel, airport, coffee shop, or store? Then you may be susceptible to an automated Man-In-The-Middle (MiTM) attack that can hack your computer in a matter of minutes with a Fully Undetectable (FUD) exploit running in the background. How, you might ask? By using one of the hacking community's favorite tools... a WiFi Pineapple.

Basically, the WiFi Pineapple (https://wifipineapple.com/) is a WiFi honeypot that allows users to carry out MiTM attacks. WiFi Pineapples can cost as little as $99. Connected clients' traffic goes through the attacker, which makes the attacker capable of pulling a number of tricks. Because the WiFi Pineapple is equipped with two radios, it can work in client mode, meaning it can piggyback on a nearby legitimate WiFi network and bridge the victim's connections.

MiTM attacks make it possible for hackers to potentially see or manipulate Internet traffic which the user believes to be private. Almost any type of Internet connection can be hacked in this way, if the end user is compromised or the platform itself is vulnerable. MiTM attacks allow hackers to insert themselves between the user and the website or service she is trying to use. This allows them to read the victim’s emails, see what websites they’re visiting, steal valuable personal information, or impersonate the user by stealing session cookies, passwords and more.

HOW

KARMA: At the heart of the Pineapple lies a nifty attack tool called KARMA. It works by exploiting the way trusting devices handle probe requests and responses. The KARMA attack takes advantage of your wireless devices sending probe requests to determine which wireless networks are nearby. The attack is relatively straightforward, but some pictures help illustrate the situation. First, let's look at an association that is proper and secure:

The Wi-Fi access point periodically sends out a beacon frame that indicates the network SSID, which identifies the Wi-Fi network. When a client system receives a beacon frame with an SSID that it remembers, it may associate with the wireless network.

Now let's look at a client system that is tricked by KARMA:

Rather than passively monitoring beacon frames from access points, the client here sends out a probe request for networks that it knows about. The KARMA attack becomes obvious. The attacker simply needs to listen for the client to send a probe and respond as the SSID that the client requested. The impact is that a client system may connect to a network other than the one the user expects. At this point, the attacker can perform MiTM or other attacks on the client system.

Your wireless devices, by default, constantly try to connect to the last networks they were on. To accomplish this they actively scan their wireless neighborhood by sending out probe requests. (A probe request is a special frame sent by a client station requesting information from either a specific access point, specified by SSID, or all access points in the area, specified with the broadcast SSID.)

Normally, access points (APs) that don't broadcast the requested SSID just ignore the probe request. The correct AP responds with a probe response and the client initiates association with that AP again. That's how we connect to our home or work network as soon as we arrive. That is convenient and user-friendly, but a malicious device running the KARMA attack can break this "honor-code" based system. The Pineapple responds as whatever AP the device is asking for, deceiving the device into believing it is at home, in a coffee shop, at an airport or in a hotel.

EVIL/INFERNAL TWIN: Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. An evil twin is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. This can also be implemented with a WiFi Pineapple device.

The evil twin AP is an access point that looks and acts just like a legitimate AP and entices the end user to connect to the attacker's access point. This type of evil twin attack may be used to steal the passwords of unsuspecting users either by snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.

The Infernal Twin is an automated Evil Twin tool that will automatically collect a mass of information and dump it into files to be used later. This allows the hacker to sit back and enjoy their coffee at the coffee shop or watch their favorite show in the hotel room while hacking everyone around them.
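Both techniques just described leave a signature in the air that a wireless intrusion detection sensor can see without touching the attacker: a KARMA device answers probe requests for many unrelated SSIDs from one radio, and an evil twin serves an SSID the site owns from a BSSID the site does not. The script below is an added example, not from the article and not Hak5's software: it runs those two checks over a constructed list of probe-request and probe-response events (the event format, MAC addresses and SSIDs are assumptions; a monitor-mode capture would supply real ones) and then lists which client devices were answered by a suspicious radio, since those are the devices to inspect and warn.

```python
"""Spot KARMA-style responders and evil-twin access points from passive
802.11 observations. Added example, not from the article or from Hak5.
Event records are constructed: (frame_type, transmitter MAC, SSID)."""
from collections import defaultdict

# Known-good access points for the site: SSID -> legitimate BSSIDs (constructed).
KNOWN_APS = {
    "CafeGuest": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed capture. A legitimate AP only answers probes for SSIDs it serves;
# de:ad:be:ef:00:01 answers every SSID a client asks for, and de:ad:be:ef:00:02
# serves the site's own SSID without being one of the site's radios.
EVENTS = [
    ("probe_req",  "11:22:33:44:55:66", "HomeNet-5G"),
    ("probe_resp", "de:ad:be:ef:00:01", "HomeNet-5G"),
    ("probe_req",  "11:22:33:44:55:66", "Airport_Free_WiFi"),
    ("probe_resp", "de:ad:be:ef:00:01", "Airport_Free_WiFi"),
    ("probe_req",  "77:88:99:aa:bb:cc", "Hotel_Guest"),
    ("probe_resp", "de:ad:be:ef:00:01", "Hotel_Guest"),
    ("probe_req",  "77:88:99:aa:bb:cc", "CafeGuest"),
    ("probe_resp", "aa:bb:cc:00:00:01", "CafeGuest"),
    ("probe_resp", "de:ad:be:ef:00:02", "CafeGuest"),
]


def responders(events):
    """Map each transmitter to the set of SSIDs it sent probe responses for."""
    seen = defaultdict(set)
    for kind, mac, ssid in events:
        if kind == "probe_resp":
            seen[mac].add(ssid)
    return seen


def detect_karma(events, min_ssids=3):
    """One radio answering probes for several unrelated SSIDs is the KARMA
    signature: it says yes to whatever the client remembers."""
    return sorted(mac for mac, ssids in responders(events).items() if len(ssids) >= min_ssids)


def detect_evil_twins(events, known_aps=KNOWN_APS):
    """A site-owned SSID served by a BSSID that is not in the site's inventory."""
    hits = set()
    for mac, ssids in responders(events).items():
        for ssid in ssids:
            if ssid in known_aps and mac not in known_aps[ssid]:
                hits.add((mac, ssid))
    return sorted(hits)


def lured_clients(events, suspicious):
    """(client, ssid, rogue) for every probe request that a suspicious
    transmitter answered: the devices whose stale network profiles need
    clearing and whose owners need warning."""
    pending = {}  # ssid -> most recent client that asked for it
    hits = set()
    for kind, mac, ssid in events:
        if kind == "probe_req":
            pending[ssid] = mac
        elif kind == "probe_resp" and mac in suspicious and ssid in pending:
            hits.add((pending[ssid], ssid, mac))
    return sorted(hits)


def report(events=EVENTS):
    """Run all three checks and return the combined result."""
    karma = detect_karma(events)
    twins = detect_evil_twins(events)
    suspicious = set(karma) | {mac for mac, _ in twins}
    return {"karma": karma, "evil_twins": twins, "lured": lured_clients(events, suspicious)}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

The KARMA threshold is deliberately a parameter: a legitimate enterprise controller can answer for a handful of SSIDs, so the right value is "more than any radio on this site is configured for". The evil-twin check depends entirely on keeping the BSSID inventory current, which is why it belongs with the wireless controller's own data rather than in a spreadsheet.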

MAN IN THE MIDDLE ATTACK: Once the hacker has used the KARMA or Evil Twin technique to compromise you, they will launch a MiTM attack. A MiTM attack is a type of cyberattack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other. The MiTM attack allows a malicious actor to intercept, send and receive data meant for someone else, or not meant to be sent at all, without either outside party knowing until it is too late.

Man in the Middle Attack via WiFi Pineapple

Sometimes referred to as a session hijacking attack, MiTM has a strong chance of success when using tools like the WiFi Pineapple where the attacker can impersonate each party to the satisfaction of the other.

A common method of executing a MiTM attack involves distributing malware that provides the attacker with access to a user’s Web browser and the data it sends and receives during transactions and conversations. Once the attacker has control, he can redirect users to a fake site that looks like the site the user is expecting to reach. The attacker can then create a connection to the real site and act as a proxy in order to read, insert and modify the traffic between the user and the legitimate site. Online banking and e-commerce sites are frequently the target of MITM attacks so that the attacker can capture login credentials and other sensitive data.

COUNTERING IT

Since this typically affects devices out in public, all of your security devices at the home or office can't protect you from a Pineapple attack. Worse yet, once your wireless device is infected, it can spread malware across your network infrastructure when it is re-introduced to your "secure" wireless network at home or the office.

Avoid Connecting To Open Networks:

If you are in the habit of using open WiFi networks, one day you might come across one of those Pineapples in your coffee shop and hand over your data unknowingly to a guy sitting at the table next to you! Even without this risk you should never use networks that you have no control over, but this kind of risk makes it even more important. Of course, if you travel and rely on hotel and airport open wireless connections, then:

Clear out any open WiFi networks that your system remembers:

The steps to perform this action will vary from platform to platform. It is important to realize that any open network that you have ever connected to during the life of your system can open it up to a KARMA attack right now. Note that some platforms, such as Apple iOS, only allow users to forget WiFi networks that are nearby at the time.

Always Use A VPN Connection:

If you must use open networks, always use a VPN. When you are using a VPN your traffic is encrypted and sent through a secure channel. In this case, even if an attacker is able to capture your traffic, they will not be able to make any sense of it.

Pay attention to the WiFi networks that your device connects to:

With most platforms, the WiFi status simply indicates "connected" or "not connected" unless you dig into the details. Especially since WiFi connections can fluctuate, it can be impractical to click into the WiFi details constantly. Some applications can help indicate, without requiring clicks, the current WiFi status, such as which SSID the system is connected to.

Disable WiFi when you're not using it:

Leaving WiFi enabled constantly increases your attack surface. Whether it's KARMA or other WiFi-related attacks, leaving WiFi off when it is not required can help to keep a system safer.

Wireless networks provide great convenience, but they come with risks and vulnerabilities (as all conveniences in IT do). The hardware is getting smaller and more powerful every day, so tools like the WiFi Pineapple are getting more threatening. It's important to keep an eye on what kind of risks are out there and learn how to avoid them.

FIREFX is offering a course scheduled in Vancouver, BC on Thursday the 23rd of March and has added an additional on-line class on Wednesday the 29th of March.

These courses are being offered this month by US Army trained Network Engineers from FIREFX. These engineers are graduates of the US Army Cyber-College, are "Security +" Certified, and have a great deal of experience securing Top Secret networks and utilizing proven tools, tactics & techniques to deploy Enterprise network security in a variety of environments. Join them as they explore the challenges presented by IoT devices in the smart home and business environments and solutions to counter these challenges.

On Wednesday, 3/19/17 FIREFX will host a free online course (CEUP661 "Basics of Securing IoT Networks for the Home and Business") worth .75 CEUs. The class starts at 1:30 PM CST and you can email training@firefx.net to request a seat.

Seating is limited for this on-line course to 25 seats.

On Thursday, 3/23/17, the same free class will be offered in person in Vancouver, BC at the Westin Wall Centre for the Stampede “Big Book of AV Tour” at 1:30PM PST.

Basic Security: This is a basic security course. You will not be an IoT security expert at the completion of this course. What you will be able to do upon passing this course is the following.

Define what an IoT device is

Identify security threats introduced to networks by IoT devices

Understand the anatomy of a network hack

Identify potential exploitable vulnerabilities in network designs

Identify best practices for securing networks with IoT devices, including

Geo-Blocking

VLAN Separation

Intrusion Detection/Prevention System (IDPS)

Distributed Denial Of Service (DDOS) Protection

Proper VPN Use

This course is approximately 1.5 hours long and includes an open Q&A session and written exam. Successful completion of the course and passing the exam (70%) will earn you a certificate and .75 CEUs.